Disclosure of Tax Returns

This week David Cameron and other members of parliament disclosed their tax returns to demonstrate that they have not participated in tax avoidance schemes. Nobody found evidence of wrongdoing, although the disclosure identified some tax arrangements as morally unacceptable. Now that some politicians have disclosed tax returns covering their time in office, there is more pressure to reveal historical information and the net is widening to include other politicians. To what extent has this disclosure set a dangerous precedent, and can it be considered an irresponsible act?

From a recruitment perspective, we already have requirements for credit checks to be performed in some professions as part of due diligence, and occupational health checks have almost become a de facto standard upon commencing employment. Is the disclosure of tax returns, albeit with the best of intentions, the first step towards employers demanding to see tax returns from their employees? Will mistakes made completing tax returns come back to haunt candidates? We have already seen cases where job applicants have written something as a teenager on social media only to have their comments reviewed years later as an indication of their suitability to do a specific job.

Tax returns are supposed to be private and confidential. If someone is under suspicion of abusing the tax system, it is the responsibility of HMRC to investigate and to provide a determination using laws that are in place.

Of course, specific information is needed during the recruitment process to demonstrate a capability to do the job for which candidates are applying, but this does not include information such as date of birth, National Insurance number or full address. An employer doesn’t need these details until after a contract of employment is offered and accepted.

The problem is that job applicants will feel compelled to provide more information than is required. They will think that not providing the details may harm their chances of gaining employment; in other words, they feel they either disclose the personal information requested or lose the opportunity entirely.

Have we reached a point where the desire to be transparent about who we are and what we have done is aiding and abetting people with criminal intent to misuse our personal information? A conversation about a possible job opportunity can be used to entice someone into handing over exactly the personal details needed for identity theft and fraud, which are already at an all-time high.

Using Operational Data for Continuous Monitoring and Auditing (Part 2 of 2)

Undertaking a cyclical audit is better than no audit at all; however, a problem identified during an audit may have existed for a significant length of time before anyone noticed. If, for example, user accounts are not deactivated promptly once a member of staff has left the company, someone else could use them in the months before the next audit. Continuous monitoring and auditing allow problems to be identified and corrected quickly.

Continuous auditing and monitoring have benefits across a multitude of business and technology functions. Combining the following activities allows data to be used efficiently and effectively to improve both the business and the audit function:

  • Starting from the known controls that need to be audited, identify the data sources required for monitoring and auditing, and how the data can be gathered and processed continuously to provide the necessary level of assurance
  • Investigate and analyse the available data sources, gain insights from the data, and feed the options back to auditors

The insights demonstrate how existing data can be transformed into actionable intelligence to enhance audit effectiveness and mitigate risks.

Identity and Access Management

Below are example data sources and insights related to Identity and Access Management (IAM).

With access to the following data sources:

  • Master list of user accounts (authoritative data source)
  • Individual application user accounts
  • Application-level permissions (entitlements)
  • Current staff list
  • Application access log files
  • Business roles

Examination and data analysis will allow you to:

  • Identify active user accounts belonging to staff members no longer with the company
  • Identify where application permissions exceed those required for the user to perform their role within the company
  • Identify unusual or suspicious application and data access
  • Identify toxic access combinations (segregation-of-duties conflicts, such as one user who can both raise and approve a payment)
  • Use the data to identify where access management processes have failed
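Tying these sources together in code makes the list above concrete. The following is an added example, not code from the original post: it joins a constructed staff list, master account list, per-application accounts, business roles and a few constructed access log lines, and emits each class of exception listed above (leaver and ownerless accounts, entitlements beyond the role, toxic combinations, accounts created outside the joiner process, and suspicious access). All names, roles, entitlements and the 07:00-19:59 business-hours window are assumptions for illustration.

```python
"""Continuous IAM reconciliation over the data sources listed above. Added
illustration (not the post's code); every extract below is constructed."""
from datetime import date, datetime

# Current staff list: staff_id -> (name, business role, leaving date or None).
STAFF = {
    "E100": ("Alice", "payments_clerk", None),
    "E101": ("Bob", "payments_approver", None),
    "E102": ("Carol", "payments_clerk", date(2016, 3, 31)),  # has left
}
# Authoritative master account list: username -> (staff_id, enabled).
MASTER_ACCOUNTS = {
    "alice": ("E100", True),
    "bob": ("E101", True),
    "carol": ("E102", True),     # still enabled after leaving
    "svc_legacy": (None, True),  # no owner in HR
}
# Application accounts with entitlements: app -> {username: [entitlement]}.
APP_ACCOUNTS = {
    "payments": {
        "alice": ["raise_payment", "approve_payment"],
        "bob": ["approve_payment"],
        "carol": ["raise_payment"],
        "dave": ["raise_payment"],  # created in the app, not in the master list
    },
    "hr": {"alice": ["read_payslips"]},
}
# Business roles: role -> entitlements the role may hold.
ROLE_ENTITLEMENTS = {
    "payments_clerk": {("payments", "raise_payment")},
    "payments_approver": {("payments", "approve_payment")},
}
# Segregation-of-duties rules: holding every entitlement in a rule is toxic.
TOXIC_COMBINATIONS = [
    frozenset({("payments", "raise_payment"), ("payments", "approve_payment")}),
]
# Constructed application access log lines: "timestamp user app action".
ACCESS_LOG = [
    "2016-04-01T09:15:00 alice payments raise_payment",
    "2016-04-02T02:40:00 bob payments approve_payment",
    "2016-04-05T10:00:00 carol payments raise_payment",
]

def user_entitlements():
    """Flatten application accounts into {user: {(app, entitlement), ...}}."""
    held = {}
    for app, accounts in APP_ACCOUNTS.items():
        for user, perms in accounts.items():
            held.setdefault(user, set()).update((app, p) for p in perms)
    return held

def leaver_accounts(as_of):
    """Enabled master accounts whose owner has left or has no HR record."""
    found = []
    for user, (staff_id, enabled) in MASTER_ACCOUNTS.items():
        record = STAFF.get(staff_id)
        if enabled and (record is None or (record[2] and record[2] <= as_of)):
            found.append(user)
    return sorted(found)

def excess_entitlements():
    """Entitlements held beyond those the user's business role permits."""
    excess = {}
    for user, held in user_entitlements().items():
        record = STAFF.get(MASTER_ACCOUNTS.get(user, (None, False))[0])
        allowed = ROLE_ENTITLEMENTS.get(record[1], set()) if record else set()
        if held - allowed:
            excess[user] = held - allowed
    return excess

def toxic_access():
    """Users holding every entitlement of a segregation-of-duties rule."""
    return sorted((user, sorted(rule)) for user, held in user_entitlements().items()
                  for rule in TOXIC_COMBINATIONS if rule <= held)

def unmanaged_app_accounts():
    """Application accounts absent from the master list: the joiner process
    was bypassed and the account was created directly in the application."""
    app_users = {u for accounts in APP_ACCOUNTS.values() for u in accounts}
    return sorted(app_users - set(MASTER_ACCOUNTS))

def suspicious_access():
    """Log lines showing access after a leaving date or outside business hours."""
    leaving = {u: STAFF[sid][2] for u, (sid, _) in MASTER_ACCOUNTS.items()
               if sid in STAFF and STAFF[sid][2]}
    flagged = []
    for line in ACCESS_LOG:
        ts, user, _app, _action = line.split()
        when = datetime.fromisoformat(ts)
        reasons = []
        if user in leaving and when.date() > leaving[user]:
            reasons.append("access after leaving date")
        if not 7 <= when.hour < 20:  # assumed business hours 07:00-19:59
            reasons.append("outside business hours")
        if reasons:
            flagged.append((user, ts, ", ".join(reasons)))
    return flagged
```

Run daily against fresh extracts, each function is a standing exception report rather than a sampled test: `leaver_accounts(date.today())` lists Carol's still-enabled account and the ownerless service account, `excess_entitlements()` shows Alice holding approval rights her clerk role does not permit, `toxic_access()` flags her raise-and-approve combination, `unmanaged_app_accounts()` catches Dave's locally created account, and `suspicious_access()` surfaces Carol's post-departure login and Bob's 02:40 approval. The point is that every one of these findings comes from joining data the organisation already holds.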

Software Asset Management

Below are example data sources and insights related to Software Asset Management (SAM).

With access to the following data sources:

  • Software licences purchased
  • Authorised devices on the network
  • User accounts
  • Software applications on individual devices
  • Application files on individual devices

Examination and data analysis will allow you to:

  • Identify immediately when the number of software installations exceeds the number of purchased software licences
  • Identify when someone installs unauthorised software on devices
  • Identify where dormant software installations may indicate underutilised resources, unused licences, or potential security risks
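The same join-and-report approach applied to the SAM sources above, as an added example that is not code from the original post. It reconciles a constructed licence register, approved software catalogue, authorised device list and per-device installation inventory (with last-used dates), and reports licence overruns, unauthorised software, devices that are not on the authorised list, dormant installs, and how many dormant seats could be reclaimed before more licences are bought. Product names, device names, the 90-day idle threshold and the dates are assumptions for illustration.

```python
"""Continuous software asset management checks. Added illustration (not the
post's code); licence, device and installation extracts are constructed."""
from datetime import date, timedelta

LICENCES = {"OfficeSuite": 4, "CADPro": 1}  # seats purchased per product
APPROVED_SOFTWARE = {"OfficeSuite", "CADPro", "PDFReader"}  # approved catalogue
AUTHORISED_DEVICES = {"WS-001", "WS-002", "WS-003"}
# Software found on each device: device -> {product: last-used date or None}.
INSTALLS = {
    "WS-001": {"OfficeSuite": date(2016, 4, 4), "CADPro": date(2015, 12, 15)},
    "WS-002": {"OfficeSuite": date(2016, 4, 1), "CADPro": date(2016, 4, 3)},
    "WS-003": {"OfficeSuite": date(2016, 3, 30), "TorrentClient": date(2016, 4, 2)},
    "WS-004": {"OfficeSuite": None},  # device not on the authorised list
}

def installations():
    """Installed seat count per product across every device seen."""
    counts = {}
    for products in INSTALLS.values():
        for product in products:
            counts[product] = counts.get(product, 0) + 1
    return counts

def licence_overruns():
    """Licensed products installed more times than seats purchased:
    {product: (installed, purchased)}."""
    return {p: (n, LICENCES[p]) for p, n in installations().items()
            if p in LICENCES and n > LICENCES[p]}

def unauthorised_software():
    """(device, product) pairs outside the approved catalogue."""
    return sorted((d, p) for d, products in INSTALLS.items() for p in products
                  if p not in APPROVED_SOFTWARE)

def unauthorised_devices():
    """Devices reporting installs that are not on the authorised device list."""
    return sorted(set(INSTALLS) - AUTHORISED_DEVICES)

def dormant_installs(as_of, max_idle_days=90):
    """Installs never used, or not used within max_idle_days of as_of."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted((d, p) for d, products in INSTALLS.items()
                  for p, last in products.items() if last is None or last < cutoff)

def reclaim_plan(as_of, max_idle_days=90):
    """For each overrun product, the seat shortfall and how many dormant seats
    could be reclaimed before buying more: {product: (shortfall, reclaimable)}."""
    dormant = {}
    for _device, product in dormant_installs(as_of, max_idle_days):
        dormant[product] = dormant.get(product, 0) + 1
    return {p: (n - purchased, dormant.get(p, 0))
            for p, (n, purchased) in licence_overruns().items()}
```

With the sample data, `licence_overruns()` reports CADPro at two installs against one seat, and `reclaim_plan(date(2016, 4, 5))` shows that the one dormant CADPro install on WS-001 would close that gap without a purchase. `unauthorised_software()` picks up the torrent client on WS-003 and `unauthorised_devices()` the unknown WS-004, which is also where the never-used OfficeSuite install sits. Feeding the inventory in daily turns the three bullets above into exceptions that appear the day they arise rather than at the next licence true-up.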

Using Operational Data for Continuous Monitoring and Auditing (Part 1 of 2)

The financial services industry is experiencing seismic change with increased regulation, coupled with customer expectation for services to be delivered faster. Unfortunately, the shorter the customer journey, the less time is available to detect irregularities which may indicate fraud. Therefore, the objective is to identify potential issues as early as possible to allow corrective action. Continuous monitoring and auditing make effective use of data within an organisation to achieve this objective.

Companies undertake audits periodically to satisfy regulatory requirements or to adhere to internal policies. With vast amounts of data available across multiple systems, organisations can now collect and process data daily or in real time using dashboards, and provide detailed reports to auditors to verify compliance. Where the data indicates that one or more processes have failed, the business can take corrective action.

Problems identified during official audits undertaken by regulators and authorities can have serious consequences such as revocation of licences or imposed financial sanctions. Additional lines of defence help mitigate this risk:

  • Departmental monitoring and auditing – performed within the department to check its own adherence to standards and procedures, including other monitoring that forms part of standard processes such as security monitoring and fraud detection.
  • Internal audit – undertaken by an internal team that looks at the business – results from internal audits influence the creation and adaptation of standards, procedures and controls to strengthen and protect the company.
  • External audits – as with internal audit, the results influence standards, procedures and controls. However, external audits can be statutory or voluntary, and undertaken by a third party.

With traditional auditing, controls are identified manually, performed cyclically such as every six months or annually depending on the risks, and assessed and tested based on a sample of data. With continuous auditing, the process is automated, repeatable and provides greater insight into potential threats.

  • The more data sources available, the greater the reporting capability. Every new data point adds an extra dimension of reporting and insight.
  • Continuous monitoring, auditing and exception reporting will increase operational efficiency and reduce risks.
  • Data sources can be used efficiently with ad hoc reporting to support audit activities and quickly investigate specific incidents.
  • Ad hoc reporting can be adapted to become part of continuous monitoring and auditing activities.
  • Data can be analysed to identify potential problems and determine where standards and procedures are missing.

Winning the lottery or failing the bus test

Is your business at risk because critical functions or knowledge are vested in one person? What happens if this person wins the lottery and resigns or, worse still, is hit by a bus? The bus test is a thought experiment for considering and exploring the consequences of losing a critical person. In some cases, a warning of impending change is available, such as receiving a resignation letter. In situations such as personal injury or fatality, the change is instantaneous, and businesses need to be resilient to such challenges.

In the case of small businesses, the death of one person can trigger the end of the company, and consequently, key-person insurance policies have become popular. Essentially the business takes out an insurance policy on key members of staff, pays the premiums, and is the beneficiary if the key person dies or suffers an injury that prevents them from working.

Large businesses also have the option of taking out key-person insurance. However, the issue is that staff often become key persons over time. Undocumented activities and processes become ingrained into the daily routine, others become dependent on them, and it becomes business as usual without further consideration.

There are common signs which indicate a failed bus test:

  • Unable to achieve something because someone has taken the day off. Make sure there are no dependencies on specific individuals.
  • Requesting information from a department and being told ‘Joe is the expert, you will need to speak with him’. Knowledge critical to the day-to-day running of the business should always be shared between team members and thoroughly documented.
  • Individuals within the business keeping crucial information to themselves and being evasive when asked, rather than openly sharing their knowledge with others. Some staff believe that being the only person who knows something, or who can do something specific, means their employer must keep them or pay them more. In practice the reverse is true: it is less risky to remove them than to be held over a barrel.
  • Staff using a different approach, different tools, or additional software from everyone else to get the job done. Having a standard way of working and using specific software means that work is transferable between staff. One person choosing a different programming language from everyone else, for example, could make it impossible for other team members to make changes.

Avoiding scenarios that fail the bus test requires a different mindset:

  • Adopt the notion that process is equal to, or more important than, the outcome
  • Ensure that all actions within the business are documented and repeatable
  • Remember that people follow processes, and processes deliver consistent results
  • When you complete business recovery exercises, randomly remove people who have been ‘impacted’ by the scenario and see how the recovery progresses without them.